[Freeipa-users] best practices for subdomains
Petr Spacek
pspacek at redhat.com
Tue Mar 4 09:30:16 UTC 2014
On 3.3.2014 22:57, Brendan Kearney wrote:
> On Mon, 2014-03-03 at 09:33 +0100, Petr Spacek wrote:
>> On 1.3.2014 23:20, Brendan Kearney wrote:
>>> I am using bind-dyndb-ldap outside of freeipa, and want to create
>>> _tcp.my-domain.com and _udp.my-domain.com subdomains. I have tried, but
>>> seem to come up short and nslookup fails for the records I try to create
>>> in the subdomains. Some googling and searching in the wiki have not
>>> provided me with much to go on. Below is an attempt at _tcp.my-domain.com
>>>
>>> dn: idnsName=_tcp.my-domain.com.,cn=dns,dc=my-domain,dc=com
>>> dnsttl: 3600
>>> idnsallowdynupdate: FALSE
>>> idnsallowsyncptr: FALSE
>>> idnsname: _tcp.my-domain.com.
>>> idnssoaexpire: 604800
>>> idnssoaminimum: 86400
>>> idnssoamname: server.my-domain.com.
>>> idnssoarefresh: 10800
>>> idnssoaretry: 900
>>> idnssoarname: root.server.my-domain.com.
>>> idnssoaserial: 1
>>> idnsupdatepolicy: grant MY-DOMAIN.COM krb5-self * A;
>>> idnszoneactive: TRUE
>>> nsrecord: server.my-domain.com.
>>> objectclass: top
>>> objectclass: idnsZone
>>> objectclass: idnsRecord
>>>
>>> what is the correct way to create a subdomain?
>>
>> First of all, do you really want to create *subdomains* for _tcp and _udp or
>> do you just need to create a couple of records like _ldap._tcp in an existing
>> domain? It is very unusual to create separate subdomains for _tcp and _udp.
>>
>> I'm attaching a small snippet which shows how to add an _ldap._tcp SRV record to
>> the existing domain ipa.example.
>>
>> Please be so kind and send us information mentioned on
>> https://fedorahosted.org/bind-dyndb-ldap/wiki/BugReporting#a3.Whatweneedtoknow
>>
>> We would like to know how users use bind-dyndb-ldap, which LDAP server is used
>> outside FreeIPA and so on.
>>
>> Have a nice day!
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> What distribution do you use? Fedora
> Which distribution version do you use? Fedora 20, with latest updates
> Which architecture do you use? x86_64 on a qemu VM
>
> What plugin version do you use? bind-dyndb-ldap-3.5-1.fc20.x86_64
> Do you use bind-dyndb-ldap as part of a FreeIPA installation? no, using
> openldap-servers-2.4.39-2.fc20.x86_64
> Which version of BIND do you use? bind-9.9.4-11.P2.fc20.x86_64
>
> Please provide the dynamic-db section from the configuration
> file /etc/named.conf
> dynamic-db "my-domain.com" {
>         library "ldap.so";
>         arg "uri ldap://127.0.0.1/";
>         arg "base cn=dns,dc=my-domain,dc=com";
>         arg "auth_method simple";
>         arg "bind_dn cn=Manager,dc=my-domain,dc=com";
>         arg "password *****";
>         arg "psearch no";
>         // arg "serial_autoincrement yes";
>         arg "sync_ptr yes";
>         arg "dyn_update yes";
>         arg "connections 2";
>         arg "cache_ttl 300";
>         arg "verbose_checks yes";
> };
>
> Do you have some other text based or DLZ zones configured? no
> Do you have some global forwarders configured in BIND configuration
> file? no
>
> Do you have some settings in global configuration object in LDAP?
> dn: cn=dns,dc=my-domain,dc=com
> cn: dns
> idnspersistentsearch: FALSE
> idnszonerefresh: 30
> objectclass: top
> objectclass: nsContainer
> objectclass: idnsConfigObject
>
> Without a doubt I want to use subdomains (or subzones, if that is the
> correct term) for _tcp and _udp. kerberos, kerberos-adm,
> kerberos-master, kpasswd, ldap, nfs4, wpad and ntp are the SRV records I
> want to manage, and having them in the regular forward zone is not as
> clean, neat and organized as I want it to be. Also, I may want to have
> forward subdomains (sub.my-domain.com, for example, with
> testhost.sub.my-domain.com as an A record).
Please see the attached LDIFs.
_udp.example.com.ldif adds a new zone _udp.example.com and one SRV record into it.
example.com.ldif adds the *required* delegation from the parent zone example.com to
_udp.example.com.
Please do not forget that NS records have to be valid (i.e. they have to point to
existing A/AAAA records), so edit them as appropriate.
Delegation via NS records from the parent zone is *required* by DNS standards;
never omit them. (It could work for a while without them, but things will fail
as soon as you try to debug something, direct a client to use more than 1 DNS
server, etc.)
Note that you have to create a separate zone *and the required delegation* for
each separate sub-tree, i.e. even for the _kerberos name in example.com etc.
I have warned you :-) Have a nice day!
--
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: example.com.ldif
Type: text/x-ldif
Size: 746 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140304/24f19196/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: _udp.example.com.ldif
Type: text/x-ldif
Size: 781 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140304/24f19196/attachment-0001.bin>
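The two rules in the reply above (a sub-zone needs an NS delegation in its parent zone, and every NS record must point at an existing A/AAAA record) are easy to get wrong when zones are edited by hand in LDAP. The following is an added example, not from this thread and not part of bind-dyndb-ldap: a small offline checker that parses a constructed LDIF in the idnsZone/idnsRecord layout shown in the thread and reports missing delegations and NS targets without addresses. The DNs, host names and addresses are made up; nSRecord appears in the thread, while aRecord, aAAARecord and sRVRecord are assumed to be the bind-dyndb-ldap schema attribute names. The checker only sees what is in the LDIF, so an NS target that is hosted outside this LDAP tree would be reported as missing.

```python
"""Offline sanity check for bind-dyndb-ldap sub-zone delegations.

Added example (not from the mailing-list thread or from bind-dyndb-ldap).
Checks: every sub-zone is delegated with NS records from its parent zone,
the delegation matches the sub-zone's apex NS set, and each NS target has
an A/AAAA record in the tree.  Attribute names are assumed to follow the
bind-dyndb-ldap schema; all DNs, hosts and addresses below are constructed.
"""
from collections import defaultdict

# Constructed sample: parent zone, delegation record, glue A record,
# the _udp sub-zone and one SRV record inside it.
SAMPLE_LDIF = """\
dn: idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsZone
objectClass: idnsRecord
idnsName: example.com.
idnsZoneActive: TRUE
idnsSOAmName: ns1.example.com.
nSRecord: ns1.example.com.

dn: idnsName=ns1,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: ns1
aRecord: 192.0.2.53

dn: idnsName=_udp,idnsName=example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: _udp
nSRecord: ns1.example.com.

dn: idnsName=_udp.example.com.,cn=dns,dc=example,dc=com
objectClass: idnsZone
objectClass: idnsRecord
idnsName: _udp.example.com.
idnsZoneActive: TRUE
idnsSOAmName: ns1.example.com.
nSRecord: ns1.example.com.

dn: idnsName=_kerberos,idnsName=_udp.example.com.,cn=dns,dc=example,dc=com
objectClass: idnsRecord
idnsName: _kerberos
sRVRecord: 0 100 88 kdc.example.com.
"""


def parse_ldif(text):
    """Return a list of entries, each mapping a lowercased attribute to its values.

    Deliberately minimal: no base64 values and no line folding, which is all
    the constructed sample needs.  LDAP attribute names are case-insensitive,
    hence the lowercasing.
    """
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
        current[attr].append(value)
    if current is not None:
        entries.append(current)
    return entries


def owner_and_zone(entry):
    """Derive (owner name, containing zone) from a DN such as
    idnsName=_udp,idnsName=example.com.,cn=dns,...  (both lowercased)."""
    rdns = [part.split("=", 1)[1].lower() for part in entry["dn"][0].split(",")
            if part.lower().startswith("idnsname=")]
    if len(rdns) == 1:                        # zone object: owner is the apex
        return rdns[0], rdns[0]
    return rdns[0] + "." + rdns[1], rdns[1]   # record inside a zone


def check_delegations(entries):
    """Return a list of problems; an empty list means the tree is consistent."""
    problems = []
    zones = {owner_and_zone(e)[0]: e for e in entries
             if any(oc.lower() == "idnszone" for oc in e["objectclass"])}
    has_address = {owner_and_zone(e)[0] for e in entries
                   if e.get("arecord") or e.get("aaaarecord")}
    by_owner = defaultdict(list)             # (owner, zone) -> entries
    for e in entries:
        by_owner[owner_and_zone(e)].append(e)

    for name, zone in zones.items():
        apex_ns = {ns.lower() for ns in zone.get("nsrecord", [])}
        if not apex_ns:
            problems.append(f"{name}: zone has no NS record at its apex")
        # Closest enclosing zone present in this LDAP tree, if any.
        labels = name.split(".")
        parent = next((".".join(labels[i:]) for i in range(1, len(labels))
                       if ".".join(labels[i:]) in zones), None)
        deleg_ns = set()
        if parent is not None:
            deleg_ns = {ns.lower() for rec in by_owner[(name, parent)]
                        for ns in rec.get("nsrecord", [])}
            if not deleg_ns:
                problems.append(f"{name}: no NS delegation in parent zone {parent}")
            elif deleg_ns != apex_ns:
                problems.append(f"{name}: delegation NS set in {parent} differs from apex NS set")
        for target in sorted(apex_ns | deleg_ns):
            if target not in has_address:
                problems.append(f"{name}: NS target {target} has no A/AAAA record in the tree")
    return problems


if __name__ == "__main__":
    for problem in check_delegations(parse_ldif(SAMPLE_LDIF)) or ["no problems found"]:
        print(problem)
```

Run it against an LDIF exported from the cn=dns subtree (for example, the output of an ldapsearch over that base) before loading a new sub-zone. Dropping the `idnsName=_udp,idnsName=example.com.` entry from the sample reproduces the "works for a while, then fails" situation the reply warns about; dropping the `ns1` glue entry shows the invalid-NS-target case.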